Kerberos for authentication, php for authorization
Simon Wilkinson
simon at sxw.org.uk
Fri Jun 8 04:00:09 EDT 2007
On 7 Jun 2007, at 15:24, slushpupie at gmail.com wrote:
> mod_auth_kerb works great in the right conditions. You must be using
> IE or a newer Firefox. Linux works great (not sure about other Unix
> systems). On Windows the two browsers can only acquire credentials
> from the LSA which means the workstation needs to be joined to a
> domain, I believe.
It works with both recent Opera and Safari too, for some definition
of works.
Where you hit problems is where the name of your webserver is not the
hostname of your machine. Different browsers handle this situation in
different ways. Some (Firefox) use the DNS to canonicalise the name,
meaning that you (should) always see GSSAPI requests for HTTP/
<hostname> principals. Others (Safari) use the name as entered by the
user with no canonicalisation.
Ultimately, this means you may need to have a keytab containing
multiple different principals for your service, and have
mod_auth_kerb accept any one of these principals. Unfortunately, the
code isn't there to do that in current versions of mod_auth_kerb. Russ
posted a patch that iterates through every key in the keytab; that
should be available from the mod_auth_kerb mailing list. I also have a
simpler patch that uses the new behaviour of gss_accept_sec_context
when the server credentials are set to GSS_C_NO_CREDENTIAL, which I
must contribute upstream.
Cheers,
Simon.
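The browser behaviour Simon describes above means the set of HTTP/ principals a server must hold depends on every name users might type and on how each browser canonicalises it. The following checker is an added example, not code from the original post or from mod_auth_kerb: it parses a constructed `klist -k` listing, models Firefox as following DNS CNAMEs to the canonical host (a simplification of its DNS canonicalisation, assumed here) and Safari as using the name exactly as entered, and reports which HTTP/<name> principals are missing from the keytab. The DNS table, realm and keytab contents are all constructed for the example.

```python
import re

# Constructed DNS view: alias (CNAME) -> canonical hostname. Assumption for the
# example only; a real check would resolve these with the system resolver.
DNS_CNAMES = {
    "www.example.com": "web01.example.com",
    "intranet.example.com": "web01.example.com",
}

# Constructed 'klist -k' output: the keytab only holds the canonical hostname.
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web01.example.com@EXAMPLE.COM
   3 host/web01.example.com@EXAMPLE.COM
"""


def parse_klist_keytab(text):
    """Return the set of principal names in a 'klist -k' style listing."""
    principals = set()
    for line in text.splitlines():
        # Data lines look like '<kvno> <principal>@<REALM>'; skip the header rows.
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def canonical_name(host, cnames):
    """Follow the CNAME chain to the canonical host (Firefox-style, simplified)."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host


def requested_principal(entered_host, browser, realm, cnames):
    """Service principal a given browser will ask the KDC for, per the post:
    Firefox canonicalises via DNS, Safari uses the name as typed."""
    if browser == "firefox":
        target = canonical_name(entered_host, cnames)
    elif browser == "safari":
        target = entered_host
    else:
        raise ValueError(f"unmodelled browser: {browser}")
    return f"HTTP/{target.lower()}@{realm}"


def missing_principals(entered_hosts, browsers, realm, cnames, keytab_principals):
    """Principals some browser will request that the keytab cannot serve."""
    needed = {
        requested_principal(h, b, realm, cnames)
        for h in entered_hosts
        for b in browsers
    }
    return sorted(needed - keytab_principals)


if __name__ == "__main__":
    keytab = parse_klist_keytab(KLIST_K_OUTPUT)
    gaps = missing_principals(
        ["www.example.com", "intranet.example.com"],
        ["firefox", "safari"],
        "EXAMPLE.COM",
        DNS_CNAMES,
        keytab,
    )
    for p in gaps:
        print("keytab lacks", p)
```

Run against real `klist -k` output, the list it prints is the set of extra HTTP/ principals you would need to add to the keytab (and which mod_auth_kerb must then be willing to accept, which is exactly the gap the two patches mentioned above address). Firefox users never trigger a gap here because every alias canonicalises to web01.example.com, while Safari users typing either alias will be issued a ticket the server has no key for.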